Manual Wildcard Certificates with DNS-01
The useful lesson here was simple: if I want wildcard certificates, DNS-01 is the practical path.
HTTP-01 is fine for single public hostnames, but it cannot cover a wildcard at all: ACME (RFC 8555) only validates a wildcard identifier through DNS-01, so for wildcard coverage across an environment DNS-01 is the model to think in, not an optimization on top of HTTP-01.
Why I used DNS-01
DNS-01 lets me prove control of the zone, by publishing a TXT record under _acme-challenge, instead of control of one HTTP endpoint. That means:
- wildcard certificates are possible (a request for *.example.com is validated at _acme-challenge.example.com)
- the gateway does not need a temporary ACME file-serving path (/.well-known/acme-challenge/) for the challenge itself
- certificate issuance is tied to DNS control instead of one running web server, so it works even for hosts the CA cannot reach
The real tradeoff
The downside is operational, not conceptual.
Without an API-driven DNS provider flow, manual DNS-01 means:
- create the TXT record at _acme-challenge.<domain> with the value the ACME client prints
- wait until every authoritative nameserver for the zone returns it
- complete the challenge
- repeat the process on renewal, with a fresh record each time, because the token and therefore the TXT value change on every order
That is slower than automated HTTP-01, and renewal cannot run unattended unless the client is given a hook that can write the record, but for a private or low-frequency setup it can still be the better fit.
One caveat is security-relevant rather than operational: whoever can write that TXT record can obtain a certificate for any name under the zone, and the resulting wildcard private key is accepted for every host that presents it. DNS write access and the wildcard key therefore deserve tighter handling than a single-host HTTP-01 setup.
What mattered most in practice
The two things that mattered operationally were:
- knowing the exact TXT record shape the provider expects: the name is _acme-challenge.<domain> (for a wildcard, the domain without the leading *.), the value is the string the ACME client prints, and when the base name and the wildcard are in the same order two TXT records with different values sit at the same name. Some provider UIs want the fully qualified name, others want only the _acme-challenge label and append the zone themselves.
- verifying propagation before continuing the ACME flow, by querying each authoritative nameserver for the zone directly rather than a recursive resolver: the CA does its own lookups, so a cached answer from an earlier attempt says nothing about what the authoritative servers return now.
Once those are clear, the process is mostly routine.
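As an added example, not code from the original post: the Python below derives the record name and value a DNS-01 challenge expects (the name per RFC 8555 section 8.4; the value as base64url of SHA-256 over token.thumbprint, with the RFC 7638 thumbprint of the account key), then checks each authoritative nameserver for every expected value until all are consistent. It covers both the manual procedure above and the two points that mattered. The account JWK, tokens and nameserver names are constructed; the real lookup shells out to dig, which is assumed to be installed, and the demo swaps in an in-memory lookup so it runs offline. In a manual client flow the client prints the name and value for you; computing them here shows what a correct record looks like, and gives a propagation gate that does not trust a recursive cache.

```python
"""Added example, not from the original post: derive the DNS-01 TXT record
(RFC 8555 section 8.4) and gate on propagation across authoritative servers."""
import base64
import hashlib
import json
import subprocess
import time
from typing import Callable, Dict, Iterable, List, Set

Lookup = Callable[[str, str], Set[str]]  # (nameserver, record name) -> TXT strings


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 of the canonical JSON of
    only the required public members, keys sorted, no whitespace. Extra members
    such as 'kid' or 'alg' must not influence it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def challenge_record_name(identifier: str) -> str:
    """Name the TXT record is published at. A wildcard '*.example.com' is
    validated at the base name, so the leading '*.' is dropped; the base name
    and its wildcard therefore share one record name."""
    domain = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{domain}"


def challenge_record_value(token: str, thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(key authorization)), where the key
    authorization is '<token>.<account key thumbprint>'. A new token is issued
    per order, so the value differs on every renewal."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def dig_txt(nameserver: str, name: str) -> Set[str]:
    """Real lookup: ask one authoritative server directly with dig (assumed to be
    installed; not used in the offline demo). Strips the quoting dig prints."""
    proc = subprocess.run(["dig", "+short", f"@{nameserver}", name, "TXT"],
                          capture_output=True, text=True, timeout=10, check=False)
    return {line.strip().strip('"').replace('" "', "")
            for line in proc.stdout.splitlines() if line.strip()}


def lagging_nameservers(name: str, expected: Iterable[str],
                        nameservers: Iterable[str], lookup: Lookup = dig_txt) -> List[str]:
    """Servers not yet returning every expected value. Checking for a superset
    (not equality) tolerates leftover records; requiring all values catches the
    base-plus-wildcard case where two TXT records must coexist at one name."""
    wanted = set(expected)
    return [ns for ns in nameservers if not wanted <= lookup(ns, name)]


def wait_for_propagation(name: str, expected: Iterable[str], nameservers: Iterable[str],
                         attempts: int = 30, delay: float = 10.0,
                         lookup: Lookup = dig_txt) -> bool:
    """Poll until no authoritative server lags; only then tell the ACME client
    to continue. Returns False if the record never fully appears."""
    wanted = list(expected)
    for attempt in range(attempts):
        if not lagging_nameservers(name, wanted, nameservers, lookup):
            return True
        if attempt + 1 < attempts:
            time.sleep(delay)
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a made-up account key, tokens and nameservers.
    account_jwk = {"kty": "EC", "crv": "P-256", "kid": "ignored",
                   "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                   "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
    thumb = jwk_thumbprint(account_jwk)
    name = challenge_record_name("*.example.com")
    # One order for example.com and *.example.com: two values, one record name.
    values = [challenge_record_value("token-for-base-name", thumb),
              challenge_record_value("token-for-wildcard", thumb)]
    for v in values:
        print(f'{name}. 300 IN TXT "{v}"')

    # Simulated authoritative servers: ns2 still serves last renewal's record.
    served = {"ns1.example.net": set(values), "ns2.example.net": {values[0], "stale"}}
    print("lagging:", lagging_nameservers(name, values, served, lookup=lambda ns, n: served[ns]))
```

For a live check, pass the zone's NS set (from dig NS <zone>) as nameservers and leave lookup at its default; keep delay below the record's TTL only if the provider's UI lets you set one, otherwise poll generously.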